Microsoft Word Intruder revealed: New SophosLabs research goes inside a malware creation kit

SophosLabs researcher Gabor Szappanos is at it again, with new research exploring and explaining the mechanics of a malware creation kit that was used in a series of campaigns between May and August 2015.

Gabor has been tracking the development of malware used in advanced persistent threat (APT) campaigns over the past couple of years, including PlugX and other document-based attacks.

This time, he cracks open the case of an intriguing malware construction kit available in underground cybercrime markets: Microsoft Word Intruder (MWI).

Sophos detects 100% of Android malware in independent test – for the sixth time in a row

I have some great news for users of Sophos Mobile Security, our Android antivirus and security app. Independent IT security institute AV-Test has awarded Sophos another perfect protection score in a July 2015 test of mobile antivirus applications – the sixth test in a row where we scored 100% detection.

Although we’ve aced this Android security test every time for the past year, this particular test was actually quite different from the previous tests run by AV-Test. And we think the difference is really important.

A closer look at the Angler exploit kit

Over the past few years, exploit kits have been widely adopted by criminals looking to infect users with malware. They are used in a process known as a drive-by download, which invisibly directs a user’s browser to a malicious website that hosts an exploit kit.

The exploit kit then exploits security holes, known as vulnerabilities, in the browser or the plugins it loads in order to infect the user with malware. The entire process can happen completely invisibly, requiring no user action beyond visiting a page.

In this research article we will take a closer look at one of the more notorious exploit kits used to facilitate drive-by downloads – a kit known as Angler exploit kit (Angler hereafter).
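The "invisible redirect" step described above is usually a hidden frame or script injected into an otherwise legitimate page, pointing the browser at the kit's landing page. The following is an added example, not code from the original article or from SophosLabs, that scans a page for iframes a user would never see (zero-sized, `display:none`, `visibility:hidden`, or pushed off-screen) and flags those that load content from a host other than the page's own. The HTML sample and the host names in it are constructed for the example; the heuristics are a starting point for a web-proxy or site-integrity check, not an exhaustive detector.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a benign site into which an attacker has injected a
# hidden iframe that silently loads a third-party landing page. Not taken from
# any real campaign.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to example.com</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://landing.example.net/in.php?x=1" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>
"""


def _is_hidden(attrs):
    """Return True for an iframe the user cannot see: zero/one-pixel size,
    display:none or visibility:hidden, or positioned off-screen."""
    width = attrs.get("width", "").strip().lower()
    height = attrs.get("height", "").strip().lower()
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = ("0", "0px", "1", "1px")
    if width in tiny or height in tiny:
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Off-screen positioning: a negative left/top offset.
    for prop in ("left:", "top:"):
        idx = style.find(prop)
        if idx != -1 and style[idx + len(prop):].startswith("-"):
            return True
    return False


class HiddenFrameFinder(HTMLParser):
    """Collects (src, reason) for every hidden iframe in the document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if not _is_hidden(attrs):
            return
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != self.page_host:
            self.findings.append((src, "hidden iframe to external host " + host))
        else:
            self.findings.append((src, "hidden iframe to same-origin resource"))


def find_hidden_frames(html, page_host):
    """All hidden iframes in `html`; `page_host` is the host the page was served from."""
    parser = HiddenFrameFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def external_hidden_frames(html, page_host):
    """Only the hidden iframes that pull content from another host: the
    drive-by redirect pattern worth alerting on."""
    return [src for src, reason in find_hidden_frames(html, page_host)
            if reason.startswith("hidden iframe to external host")]


if __name__ == "__main__":
    for src, reason in find_hidden_frames(SAMPLE_HTML, "www.example.com"):
        print(f"{reason}: {src}")
```

A same-origin hidden iframe is often legitimate (tracking pixels, lazy-loaded widgets), so the example reports it separately and reserves the strong signal for hidden frames that leave the page's own host.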

Crowdsourcing threat intelligence with download reputation

Last week, we mentioned that application control is now available as part of a Sophos Cloud public beta. The beta also introduces a new next-generation endpoint protection feature called download reputation.

While it may not sound flashy, download reputation is an important step forward in protecting users from advanced threats, like zero-day malware designed to evade traditional antivirus defenses.

Download reputation crowdsources threat intelligence by drawing on the experience of our global customer base to help determine a file’s reputation. In other words, every user with download reputation enabled helps contribute to the collective security of our customers.

Let’s take a look at how download reputation works.
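To make the crowdsourcing idea concrete, here is an added example, not Sophos's implementation and not code from the original post, of a minimal reputation service: every participating endpoint reports the SHA-256 of what it downloads, and a file's verdict is derived from how many endpoints have seen it and for how long. The thresholds (7 days, 100 endpoints), the telemetry records and the sample files are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Telemetry:
    """Crowd-sourced sightings of one file, keyed by its SHA-256."""
    first_seen_day: int          # day number when any endpoint first reported it
    endpoints: int = 0           # how many endpoints have reported it
    known_bad: bool = False      # confirmed malicious by analysts or other engines


@dataclass
class ReputationService:
    today: int
    db: dict = field(default_factory=dict)
    # Thresholds are assumptions for this example, not Sophos's real values.
    min_age_days: int = 7
    min_prevalence: int = 100

    def record_download(self, sha256: str) -> None:
        """The crowdsourcing step: each endpoint that downloads a file reports
        its hash, so prevalence grows with the customer base."""
        entry = self.db.get(sha256)
        if entry is None:
            self.db[sha256] = Telemetry(first_seen_day=self.today, endpoints=1)
        else:
            entry.endpoints += 1

    def mark_bad(self, sha256: str) -> None:
        """Analyst or engine confirmation overrides prevalence entirely."""
        entry = self.db.setdefault(sha256, Telemetry(first_seen_day=self.today))
        entry.known_bad = True

    def verdict(self, sha256: str) -> str:
        """Files that are both old enough and widespread enough are allowed;
        anything rare or brand-new gets a warning, which is exactly the profile
        of a freshly packed zero-day sample."""
        entry = self.db.get(sha256)
        if entry is None:
            return "WARN: never seen before"
        if entry.known_bad:
            return "BLOCK"
        age = self.today - entry.first_seen_day
        if age >= self.min_age_days and entry.endpoints >= self.min_prevalence:
            return "ALLOW"
        return "WARN: low reputation"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Walk a few constructed files through the service and return the verdicts."""
    svc = ReputationService(today=100)

    # Constructed telemetry: a widely deployed installer first seen 90 days ago.
    popular = sha256_of(b"well-known-installer.exe contents")
    svc.db[popular] = Telemetry(first_seen_day=10, endpoints=50_000)

    # A fresh, unique build, which is what a repacked dropper looks like.
    fresh = sha256_of(b"freshly-packed-dropper contents")
    svc.record_download(fresh)

    results = {
        "popular": svc.verdict(popular),
        "fresh": svc.verdict(fresh),
        "unseen": svc.verdict(sha256_of(b"never downloaded anywhere")),
    }

    # Ten days later, 150 endpoints have reported the fresh file and nobody has
    # flagged it, so it crosses both thresholds.
    svc.today = 110
    for _ in range(149):
        svc.record_download(fresh)
    results["fresh_later"] = svc.verdict(fresh)

    # ...unless it is confirmed malicious, in which case prevalence is irrelevant.
    svc.mark_bad(fresh)
    results["fresh_confirmed_bad"] = svc.verdict(fresh)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The important property is that the warning for a rare, new file needs no signature: it falls out of the fact that almost nobody else has seen it yet, which is the gap traditional antivirus leaves open.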

Google search poisoning – old dogs learn new tricks

These days, every company knows that having its website appear at the top of Google’s results for relevant keyword searches makes a big difference in traffic and helps the business. Numerous search engine optimization (SEO) techniques have existed for years and provided marketers with ways to climb up the PageRank ladder.

In a nutshell, to be popular with Google, your website has to provide content relevant to specific search keywords and also to be linked to by a high number of reputable and relevant sites. (These act as recommendations, and are rather confusingly known as “back links,” even though it’s not your site that is doing the linking.)

Google’s algorithms are much more complex than this simple description, but most optimization techniques still revolve around those two goals. Many of the techniques in use are legitimate, ethical and approved by Google and other search providers. But there are also other, and at times more effective, tricks that rely on various forms of internet abuse, with attempts to fool Google’s algorithms through forgery, spam and even hacking.
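To show why "be linked to by many sites" is worth faking, here is an added example, not from the original post, that runs the textbook PageRank power iteration over a small constructed web and then adds a link farm of throwaway pages that all point at one target. The site names and graph are invented for illustration, and the computation is the original, un-hardened PageRank formula; as the post notes, Google's real ranking is far more complex and specifically discounts this kind of spam, which is exactly why spammers moved on to hacking legitimate sites for their links.

```python
# Constructed toy web: {page: [pages it links to]}. Pages with no out-links
# (dangling pages) spread their rank evenly over the whole graph.
HONEST_WEB = {
    "news.example": ["target.example", "blog.example"],
    "blog.example": ["news.example"],
    "target.example": ["news.example"],
    "rival.example": ["news.example"],
}


def pagerank(links, damping=0.85, iterations=100):
    """Plain PageRank by power iteration. Returns {page: score}, scores sum to 1.
    `damping` is the probability a random surfer follows a link rather than
    jumping to a random page."""
    nodes = set(links)
    for targets in links.values():
        nodes.update(targets)
    nodes = sorted(nodes)
    n = len(nodes)
    rank = {p: 1.0 / n for p in nodes}
    for _ in range(iterations):
        new = {p: (1.0 - damping) / n for p in nodes}   # random-jump share
        for p in nodes:
            out = links.get(p, [])
            if not out:
                for q in nodes:                          # dangling page
                    new[q] += damping * rank[p] / n
            else:
                for q in out:                            # pass rank along links
                    new[q] += damping * rank[p] / len(out)
        rank = new
    return rank


def with_link_farm(links, target, farm_size):
    """Return a copy of `links` plus `farm_size` fresh pages that exist only to
    link to `target`. Nothing links to the farm pages themselves."""
    farmed = {p: list(t) for p, t in links.items()}
    for i in range(farm_size):
        farmed[f"farm{i}.example"] = [target]
    return farmed


def ranking(scores):
    """Pages ordered best-first, ties broken by name for determinism."""
    return sorted(scores, key=lambda p: (-scores[p], p))


if __name__ == "__main__":
    honest = pagerank(HONEST_WEB)
    farmed = pagerank(with_link_farm(HONEST_WEB, "target.example", 50))
    real_pages = list(HONEST_WEB)
    print("honest :", [(p, round(honest[p], 3)) for p in ranking(honest)])
    print("farmed :", [(p, round(farmed[p], 3)) for p in ranking(farmed) if p in real_pages])
```

In the honest graph `target.example` and `blog.example` are structurally identical and tie; with fifty worthless pages pointing at it, the target pulls ahead of the blog and closes much of the gap to the news site, despite no change to its content or to any reputable site's links.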

Sophos at Infosec 2015: Attack demonstrations, intelligent security, crypto explained and more

Europe’s biggest security event is upon us. If you’re attending Infosecurity Europe 2015, we hope you’ll join us at stand D260 to check out our great products, grab one of our cool giveaways, and see entertaining presentations from our respected experts.

One of our top experts will also be featured on the keynote stage, where James Lyne, Sophos global head of security research, will show you live attack demonstrations in his talk “How to Hack an Enterprise: Exploitation for Beginners.” James is also a member of the advisory board for the Intelligent Defence technical research conference taking place alongside Infosec.

The theme of Infosec this year is “Intelligent Security: Protect. Detect. Respond. Recover.” We agree that security should be intelligent – that’s why Sophos products are designed to prevent attacks based on suspicious behaviors, and detect and isolate infections when they do happen.

Which countries top the new Dirty Dozen spam list?

SophosLabs tracks huge volumes of spam from around the world, and once in a while we pause to take a look at the countries sending the most spam – we call it our Dirty Dozen Spampionship.

In the results for the most recent quarter (January, February and March 2015), we found that the biggest spam-relaying country in the world is, once again, the United States. Vietnam has climbed to number two, followed by Ukraine, Russia, South Korea and China, which round out the top six.

Check out the rest of the list and you’ll see some familiar places, as well as some countries that come and go from the Dirty Dozen: